$whoami

• @zer0mem ~ Peter Hlavaty
• Senior Security Researcher at KeenLab, Tencent
• MSRC100, pwn2own
• Focus : kernel / hyperv / mitigations
• sometimes talk somewhere …
• wushu player +- :)


Sandbox 


• Restrict resources of target ( process )
  • #syscalls
  • file system
  • registry
  • inter-process interaction
• Different integrity levels
  • Untrusted
  • App Container
  • Low
  • Medium, ..


Sandbox attack surface +-

• IPC ~ Broker vs worker
• Windows ~ kernel syscalls
• RPC ~ inter process communication
• 3rd elements ~ Windows Defender ( AV in general )


Windows kernel ~ attack surface 


w32k attack surface hardening 


4 years ago                            now
• Fonts secre
• TTF emulation in kernel              • TTF emulation in kernel user mode
• Loading custom fonts                 • Sandboxes low priv proc for custom
• GDI                                  • GDI -> restricted/no mode
• 6+ different kernel objects          • 6+ different kernel objects
• *huge* source of UAF, overflows, …   • *huge* source of UAF, overflows, …
• EMF - *remote*                       • EMF *remote* -> disabled by def
• User no
• User mode callbacks machinery        • User mode callbacks machinery


w32k exploitation hardening 


• Restricted resources for exploitation
  • No resources if DisableW32kSystemCalls flag on :)
  • Type isolation
  • Tactical mitigations, f.e. tagWnd
• bugs--
  • Refactored w32k ( win32k -> win32kfull + win32kbase )
    • this also left/brings a lot of bugs, but shows the importance of cleaning up the mess
  • Security researchers community support ( msrc100, insider bounties, … )
  • Internal fuzzing++ ?


w32k still alive 


• DirectX
• w32k - user callbacks
• Small parts of GDI + DComposition
• New syscalls keep being added in new builds
• ~ no w32k in your target ?
  • w32k is somehow essential for a GUI app
  • Bridge from your target to the part of the app which has access
  • Perhaps you can attack another part of the app with w32k on ?


ntos attack surface 


• TM + CLFS
  • ‘hidden syscalls’
  • CLFS : Lockdown for sandboxed processes!
  • Well finally, heavy parsing in kernel mode..
  • Without CLFS backup it is very simple logic
  • However nice connections ~ Manager + Transaction + Enlistment + Resource
• (A)LPC, Pipe, Sockets, Registry hives
  • Good amount of logic there
  • In SDL quite some time, crucial part of windows kernel!
• Memory management, Sync, ..
  • + : lots of syscalls!
  • - : logic you can alter is way too simplistic


RPC - user processes

• Any process has opened ALPC port
  • Everybody needs to have opened port at least to csrss.exe
• Mostly ‘unknown’ area ~ previously little researched
  • https://hakril.net/slides/A_view_into_ALPC_RPC_pacsec_2017.pdf
• NtAlpc* ~ undocumented
• COM using ALPC at the background
  • C++ inter-process interface


Native code exec 


But, OK .. you got a bug, what’s next ? 


Mitigations on the rise 


• In past years Windows has invested heavily in breaking attack surface and techniques!
• Guards : lockdown + filter
  • (k)CFG
  • HVCI
  • VBS
  • ACG
  • CIG
  • Jit OoP

[Diagram labels: ntoskrnl filter via; Mitigation against native code exec; Type Isolation; Tactical mitigation]


.G, ..G, ..G … wut ? 


• Lots of guards in windows ;)
• Must read:
  • https://cansecwest.com/slides/2017/CSW2017_Weston-Miller_Mitigating_Native_Remote_Code_Execution.pdf
  • https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2018_02_OffensiveCon/The%20Evolution%20of%20CFI%20Attacks%20and%20Defenses.pdf
• How those are enabled for sandboxing :
  • SetProcessMitigationPolicy
  • PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY of UpdateProcThreadAttribute


CFG 


    /* Pseudocode: the check CFG inserts before an indirect call */
    VOID Foo(CALLBACK_ROUTINE *Cb) {
        if (IsValidTarget(Cb) == FALSE) {
            TerminateProcess();
        }
        Cb();
    }

• guard_check_icall
• More about CFG:
• This is nice article:
• Covering also mini COOP ;) - check that out


RFG ~ pulled down, but CET ( check CET! )

• 2 stacks : Control + Data
• Control stack : no pointer in user mode
  • It is OK to be write-able ~ therefore with write primitive you can write there
  • But problem : how to find it ? => no leaks == no way ?
• At each function prolog store return address also to Control stack
• At each function epilogue check if ControlStack[rsp] == DataStack[rsp]
  • Aka return address match
• BRILLIANT IDEA + DESIGN = no compatibility issues, can plug it right now!
  • Only 5 instructions per function!
• Key Problems :
  • Race condition -> could be done in stable way
  • Secret based ~ what if it is possible to reveal address of control stack without pointer leak ?
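
The prolog/epilogue check above as a toy model, added here as an illustration (not code from the talk or from Windows). The arrays, the addresses and the `control_writable` flag are constructed assumptions; the flag goes slightly beyond the slide to contrast RFG's plain-memory control stack with a control stack that ordinary stores cannot modify, which is the property CET shadow stacks get from hardware.

```c
#include <stddef.h>
#include <stdint.h>

#define DEPTH 8

/* Constructed toy model: arrays stand in for the two stacks, sp for rsp. */
typedef struct {
    uintptr_t data[DEPTH];    /* data stack slot holding the return address */
    uintptr_t control[DEPTH]; /* control stack copy of the same address */
    size_t sp;
    int control_writable;     /* 1 = RFG-style plain memory, 0 = protected */
} model_t;

/* Function prolog: the return address is stored on both stacks. */
static void prolog(model_t *m, uintptr_t ret) {
    m->data[m->sp] = ret;
    m->control[m->sp] = ret;
    m->sp++;
}

/* Function epilogue: returns 1 when ControlStack[rsp] == DataStack[rsp],
 * 0 when they differ (a real implementation fails fast at that point). */
static int epilogue(model_t *m) {
    m->sp--;
    return m->data[m->sp] == m->control[m->sp];
}

/* Models a memory-corruption write to the saved return address. The control
 * stack copy changes only if its location is known AND it is writable. */
static void corrupt(model_t *m, int location_known, uintptr_t v) {
    m->data[m->sp - 1] = v;
    if (location_known && m->control_writable)
        m->control[m->sp - 1] = v;
}

/* Runs one call whose return address is corrupted before the return.
 * Returns 1 if the epilogue check caught the mismatch, 0 if it passed. */
int detected(int control_writable, int control_location_known) {
    model_t m = { .control_writable = control_writable };
    prolog(&m, 0x1000);                          /* constructed address */
    corrupt(&m, control_location_known, 0x4141); /* constructed value */
    return !epilogue(&m);
}
```

`detected(1, 0)` is the case the design relies on, `detected(1, 1)` is the "secret based" key problem from the slide, and `detected(0, 1)` shows why a non-writable control stack removes the dependence on secrecy.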


RFG ~ explain in two slides with graphs 


CIG + ACG + Jit OoP : In short 


• Code Integrity (CIG) ~ only signed images can be loaded
  • Ok but we can do RWX + shellcode :)
• Arbitrary code guard (ACG) -> no you can not...
  • No RWX page same time!
  • X pages -> in fact you can not VirtualProtect to Exec* anymore
• JIT : but I need it!
  • Nope … nope … nope
  • Process can not have RWX pages nor from Data page make Code page
  • Therefore only different process can do it for you
  • Browser : Jit Process -> Worker process


Type Isolation 


• Important exploit primitives consist of :
  • Structure with control and data parts
    • Control : pointers, sizes
    • Data : controlled data by user
• Outcome :
  • Data or size overflow leads to full compromise of domain
• Mitigation :
  • Separate Control & Data part of structure to two different places
  • Crucial : data should not reach control part ~ page guards / different pools
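
The layout difference behind type isolation, as an added toy model (not code from the talk or from win32k). The object format, the sizes and the overlong write are constructed assumptions; byte arrays stand in for kernel pools so the model itself stays well-defined.

```c
#include <stdint.h>
#include <string.h>

#define DATA_SZ 8                  /* user-controlled bytes per object */
#define HDR_SZ  4                  /* control part: a 32-bit size field */
#define OBJ_SZ  (HDR_SZ + DATA_SZ)
#define SPILL   (DATA_SZ + 4)      /* constructed write, 4 bytes too long */

/* The modelled bug: copies len bytes with no check against DATA_SZ.
 * The clamp to the region plays the role of the guard page / pool
 * boundary from the slide and keeps the model free of real overflows. */
static void unchecked_write(uint8_t *region, size_t region_sz, size_t off,
                            const uint8_t *src, size_t len) {
    if (off + len > region_sz) len = region_sz - off;
    memcpy(region + off, src, len);
}

/* Layout A: [size|data][size|data] interleaved in one pool. Returns
 * object 1's size field after the overlong write into object 0's data. */
uint32_t neighbour_size_interleaved(void) {
    uint8_t pool[2 * OBJ_SZ] = {0}, src[SPILL];
    uint32_t size = DATA_SZ;
    memcpy(pool, &size, HDR_SZ);              /* object 0 size field */
    memcpy(pool + OBJ_SZ, &size, HDR_SZ);     /* object 1 size field */
    memset(src, 0xFF, sizeof src);
    unchecked_write(pool, sizeof pool, HDR_SZ, src, sizeof src);
    memcpy(&size, pool + OBJ_SZ, HDR_SZ);
    return size;
}

/* Layout B: size fields in their own region, data parts in another.
 * The same overlong write can only reach the neighbour's data bytes. */
uint32_t neighbour_size_isolated(void) {
    uint32_t control[2] = { DATA_SZ, DATA_SZ };
    uint8_t data[2 * DATA_SZ] = {0}, src[SPILL];
    memset(src, 0xFF, sizeof src);
    unchecked_write(data, sizeof data, 0, src, sizeof src);
    return control[1];
}
```

In layout A the neighbour's size field becomes 0xFFFFFFFF, the "size overflow" outcome named above; in layout B it stays at 8 because user data never sits next to a control field.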


Tactical mitigation 


• prevalent methodology of misusing object for arbitrary read / write
  • Start with limited read/write
  • Boost it to full read/write to domain
  • Usually pivot-worker schema
• Tactical mitigation == Break particular techniques, one by one!
• How : Introduce safe-checks
  • Buffer ranges
  • Pool limitation
• Outcome : need to chain *limited* read/write primitives
• Crucial:
  • safe boundaries must not be reachable by our limited write
  • broken for tagWnd ~ check these nice references :
    • https://github.com/MortenSchenk/tagWnd-Hardening-Bypass/blob/master/tagWnd/tagWnd/tagWnd.c
    • https://improsec.com/blog/hardening-windows-10-with-zero-day-exploit-mitigations-under-the-microscope


Therefore.. 


• Theory
  • No W^X memory anymore
  • No Arbitrary modules
  • No @rip hijack
  • No return address hijack
  • No Overflows ( buffer or size/counters ) exploitable
  • No/Limited Read/Write primitive
• Practice
  • Not there yet, most of those bypassable by design limitations
• However showing interesting shift towards security, does it not ?
  • especially memory corruptions


Sandbox++ 


When kernel is not a boundary 


virtualization 


• HyperV technology
  • VM machine
  • Well Security designed!
    • Legacy stripped
    • (relatively) small ( + heavily audited ) attack surface
    • Mitigations applied
• WDAG applying HyperV technologies
  • Another layer of sandbox introduced for edge
  • And not only for edge!


vmwp overview 


• What ?
  • User mode process on host side responsible for running guest-partition
• Minimum legacy
  • IO devices
  • No complex structures ( in IO )
  • Minimal interaction ( no Drag&Drop, basic session by default, .. )
  • Generation2 way to go, however Generation1 still default
• Clean design
  • All mitigations
  • Sandboxed!
• pwn vmwp complexity ~ remote pwn


Successful attack in the future (?) 


[Flow diagram; box labels:]
• Get a bug in remote target ( browser, .. )
• Get RCE or COOP-ish style control
• Escape sandbox
• Bypass proc restrictions or get RCE ( coop-ish style is OK )
• Get bug in kernel
• Bypass mitigations in virtualization target
• Get a bug in virtualization
• pwn


Bug is just the start line 


How to approach 


• Understanding of attack surface
  • Windows landscape
• Understanding of target
  • Reverse engineering & internals
• Make use of technologies :
  • IntelPt (+ QemuPt)
  • windbg + TTD
  • Qemu + KVM
  • Hypervisors ( tooling + automatization )
  • BochsPwn reloaded / DigTool alike approaches
• Make use ( and proper understanding ) of “state of the art” tools
  • syzkaller
  • (k)AFL
• … then make your own patches / tools / plugins


Fuzzing vs Eye-balling 


• Fuzzing :
  • Easy to make dummy fuzzer
  • Easy to overengineer fuzzer and kill its randomness
• Eyes :
  • You can easily miss trivial bugs
  • Hard to comprehend complex logic
• Why not combine both ?
  • Make random-enough fuzzing
  • Inject ( to fuzzer ) knowledge from auditing-code
  • Use fuzzer to check some complex logic for you + automate it!


RCE 


• RCE is not all about browsers!
• Microsoft Office
• SMB
  • SMB v1 non default ~ big attack surface
  • non auth attack vector seems finally heavily audited ?
• Most modern apps connect over internet
  • Skype, Slack, games, … ?


Other windows cool targets ~ kernel 


• Sockets
  • UoW ( ubuntu on windows ~ WSL )
  • SMB (v1, v2, v3)
• HyperV ( user, kernel, hypervisor )
  • VhdParser
• RDP
• .. .sys ? UEFI ?


